294b080db5e85338fb59af6004da0a5a4d8c6dc1df0f2480ea56c81bb906f3a5

General

Target

49eafebd40a28a035d7d02d32d6dd535_JaffaCakes118.exe
Size

2.7MB
MD5

49eafebd40a28a035d7d02d32d6dd535
SHA1

4e9c322468ac1078fa363497462a32f3bae0a011
SHA256

294b080db5e85338fb59af6004da0a5a4d8c6dc1df0f2480ea56c81bb906f3a5
SHA512

8acf4b474642f356cdacccc60c678c1964b5ab42baa15e236916742dc119df659a1f855b4dd5d862fafb92a201640714e0c67627b0147f926227ce50e3734c89
SSDEEP

49152:o7QN5mLUafronnHtAaW/+L22CeC7Qfzm0bniMOD7vRAByO2DzM:o7QstMtAxWfzmbxD7vRA0j

Score

7^/10

evasion

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine	49eafebd40a28a035d7d02d32d6dd535_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1580	49eafebd40a28a035d7d02d32d6dd535_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1580	49eafebd40a28a035d7d02d32d6dd535_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1580	49eafebd40a28a035d7d02d32d6dd535_JaffaCakes118.exe
1580	49eafebd40a28a035d7d02d32d6dd535_JaffaCakes118.exe
1580	49eafebd40a28a035d7d02d32d6dd535_JaffaCakes118.exe
1580	49eafebd40a28a035d7d02d32d6dd535_JaffaCakes118.exe
1580	49eafebd40a28a035d7d02d32d6dd535_JaffaCakes118.exe
1580	49eafebd40a28a035d7d02d32d6dd535_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1580	49eafebd40a28a035d7d02d32d6dd535_JaffaCakes118.exe
1580	49eafebd40a28a035d7d02d32d6dd535_JaffaCakes118.exe
1580	49eafebd40a28a035d7d02d32d6dd535_JaffaCakes118.exe
1580	49eafebd40a28a035d7d02d32d6dd535_JaffaCakes118.exe
1580	49eafebd40a28a035d7d02d32d6dd535_JaffaCakes118.exe
1580	49eafebd40a28a035d7d02d32d6dd535_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\49eafebd40a28a035d7d02d32d6dd535_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\49eafebd40a28a035d7d02d32d6dd535_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Operate.ini

Filesize
579B

MD5
921a391e44c17fdb410a9e49e66503b4

SHA1
01d243bfa1a352710a5c67081e5b8876d33874ee

SHA256
c3fe5e2f5d197ed4f7c8ae01b3eeba00dedd2befc0a6d9996f1a4c9c8ccce85c

SHA512
793f2f8c8e7d6500a0ecbf3725234d68ecfaf4178da285ec0530bdbf62ecf282a67265c4ef5b658f4c1d99397035cbaf5440b644d4495cb260711f91f3c8b4ea

Download Submit
memory/1580-45-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1580-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1580-3-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-4-0x0000000000401000-0x00000000004FD000-memory.dmp

Filesize
1008KB

Download
memory/1580-5-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-0-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-28-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-29-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-30-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-36-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-37-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-38-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-39-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-40-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-41-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-42-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1580-43-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-44-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-46-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-47-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-48-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-49-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-50-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-51-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-52-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-53-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-54-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-55-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-56-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-57-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-58-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-59-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-60-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download
memory/1580-61-0x0000000000400000-0x000000000105F000-memory.dmp

Filesize
12.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads